<!DOCTYPE html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
    <link rel="preload" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.6 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>IPStorm Now Has a Linux Malware - Intezer</title>
	<meta name="description" content="Using Golang, the predominantly Windows IPStorm malware is now multi-platform. New variants targeting Linux architectures share code with Windows samples first reported by Anomali in 2019. In addition to creating a backdoor, IPStorm Linux malware conducts ad fraud and attempts to spread to more victims via SSH brute-force." />
	<link rel="canonical" href="https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="Using Golang, the predominantly Windows IPStorm malware is now multi-platform. New variants targeting Linux architectures share code with Windows samples first reported by Anomali in 2019. In addition to creating a backdoor, IPStorm Linux malware conducts ad fraud and attempts to spread to more victims via SSH brute-force." />
	<meta property="og:url" content="https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2020-10-01T13:05:15+00:00" />
	<meta property="article:modified_time" content="2021-03-21T14:09:22+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg" />
	<meta property="og:image:width" content="1204" />
	<meta property="og:image:height" content="475" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Nicole Fishbein" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="15 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg","width":1204,"height":475},{"@type":"WebPage","@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#webpage","url":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/","name":"IPStorm Now Has a Linux Malware - 
Intezer","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#primaryimage"},"datePublished":"2020-10-01T13:05:15+00:00","dateModified":"2021-03-21T14:09:22+00:00","description":"Using Golang, the predominantly Windows IPStorm malware is now multi-platform. New variants targeting Linux architectures share code with Windows samples first reported by Anomali in 2019. In addition to creating a backdoor, IPStorm Linux malware conducts ad fraud and attempts to spread to more victims via SSH brute-force.","breadcrumb":{"@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"A Storm is Brewing: IPStorm Now Has Linux Malware"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#article","isPartOf":{"@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/9947f194fca867fdd973a2a37652290a"},"headline":"A Storm is Brewing: IPStorm Now Has Linux 
Malware","datePublished":"2020-10-01T13:05:15+00:00","dateModified":"2021-03-21T14:09:22+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#webpage"},"wordCount":3059,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg","keywords":["IPStorm","Linux","malware"],"articleSection":["Malware Analysis","Research"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/9947f194fca867fdd973a2a37652290a","name":"Nicole Fishbein","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/eec919c35144db28ea1ee1d966d9487c?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/eec919c35144db28ea1ee1d966d9487c?s=96&d=mm&r=g","caption":"Nicole Fishbein"},"url":"https://www.intezer.com/author/nicolefishbein/"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Comments Feed" href="https://www.intezer.com/comments/feed/" />
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/5.8.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.2' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=0aeebf0e297002559f8cf4ab5cad896d' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1640305925' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.15' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.0.7' media='all' />
<link rel='stylesheet' id='jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.5-a.3' media='all' />
<script type='text/javascript' id='addtoany-js-after'>
window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};
(function(d,s,a,b){a=d.createElement(s);b=d.getElementsByTagName(s)[0];a.async=1;a.src="https://static.addtoany.com/menu/page.js";b.parentNode.insertBefore(a,b);})(document,"script");
</script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=0aeebf0e297002559f8cf4ab5cad896d' id='jquery-js'></script>
<script type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/12439" /><link rel='shortlink' href='https://www.intezer.com/?p=12439' />
<link rel="alternate" type="application/json+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fa-storm-is-brewing-ipstorm-now-has-linux-malware%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.intezer.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fa-storm-is-brewing-ipstorm-now-has-linux-malware%2F&#038;format=xml" />
						<script>
				(function() {
					var hbspt = window.hbspt = window.hbspt || {};
					hbspt.forms = hbspt.forms || {};
					hbspt._wpFormsQueue = [];
					hbspt.enqueueForm = function(formDef) {
						if (hbspt.forms && hbspt.forms.create) {
							hbspt.forms.create(formDef);
						} else {
							hbspt._wpFormsQueue.push(formDef);
						}
					}
					if (!window.hbspt.forms.create) {
						Object.defineProperty(window.hbspt.forms, 'create', {
							configurable: true,
							get: function() {
								return hbspt._wpCreateForm;
							},
							set: function(value) {
								hbspt._wpCreateForm = value;
								while (hbspt._wpFormsQueue.length) {
									var formDef = hbspt._wpFormsQueue.shift();
									if (!document.currentScript) {
										var formScriptId = 'leadin-forms-v2-js';
										hubspot.utils.currentScript = document.getElementById(formScriptId);
									}
									hbspt._wpCreateForm.call(hbspt.forms, formDef);
								}
							},
						});
					}
				})();
			</script>
<style type='text/css'>img#wpstats{display:none}</style>
						<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
							<style type="text/css">
				/* If html does not have either class, do not show lazy loaded images. */
				html:not( .jetpack-lazy-images-js-enabled ):not( .js ) .jetpack-lazy-image {
					display: none;
				}
			</style>
			<script>
				document.documentElement.classList.add(
					'jetpack-lazy-images-js-enabled'
				);
			</script>
		                <style>
                    
					@font-face {
						font-family: 'aslsicons2';
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot');
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot?#iefix') format('embedded-opentype'),
							 url('https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff2') format('woff2'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff') format('woff'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.ttf') format('truetype'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.svg#icons') format('svg');
						font-weight: normal;
						font-style: normal;
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					div[id*='ajaxsearchlite'].wpdreams_asl_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                			<script type="text/javascript">
                if ( typeof _ASL !== "undefined" && _ASL !== null && typeof _ASL.initialize !== "undefined" ) {
					_ASL.initialize();
				}
            </script>
            <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6" />



</head>

<body class="post-template-default single single-post postid-12439 single-format-standard wp-custom-logo a-storm-is-brewing-ipstorm-now-has-linux-malware elementor-default elementor-kit-8921">

    <header id="header">
		    </header><div class="popup"><div role="form" class="wpcf7" id="wpcf7-f468-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#wpcf7-f468-o1" method="post" class="wpcf7-form init clearfix" novalidate="novalidate" data-status="init" id="request-demo-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="468" />
<input type="hidden" name="_wpcf7_version" value="5.5.2" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f468-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:468,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value=""></option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 

<!-- Schema -->

<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/"
  },
  "headline": "A Storm is Brewing: IPStorm Now Has Linux Malware",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2020-10-01"
}
</script>

<!-- End schema -->



	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">A Storm is Brewing: IPStorm Now Has Linux Malware</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><div class="user-bio"><span class="author-light">Written by </span><a href="https://www.intezer.com/author/nicolefishbein/" title="Posts by Nicole Fishbein" class="author url fn" rel="author">Nicole Fishbein</a> and <a href="https://www.intezer.com/author/avigayil/" title="Posts by Avigayil Mechtinger" class="author url fn" rel="author">Avigayil Mechtinger</a><span class="author-date"> - 1 October 2020</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/shutterstock_1686249253-2.jpg" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/#wpcf7-f15120-o2" method="post" class="wpcf7-form init" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="15120" />
<input type="hidden" name="_wpcf7_version" value="5.5.2" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f15120-o2" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:15120,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" placeholder="First Name" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Last Name" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Job Title" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" placeholder="Company" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" placeholder="Email" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Country</option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option 
value="Colombia">Colombia</option><option value="Comoros">Comoros</option><option value="Democratic Republic of the Congo (Kinshasa)">Democratic Republic of the Congo (Kinshasa)</option><option value="Congo, Republic of(Brazzaville)">Congo, Republic of(Brazzaville)</option><option value="Costa Rica">Costa Rica</option><option value="Croatia">Croatia</option><option value="Cuba">Cuba</option><option value="Cyprus">Cyprus</option><option value="Czechia">Czechia</option><option value="Denmark">Denmark</option><option value="Djibouti">Djibouti</option><option value="Dominica">Dominica</option><option value="Dominican Republic">Dominican Republic</option><option value="East Timor (Timor-Leste)">East Timor (Timor-Leste)</option><option value="Ecuador">Ecuador</option><option value="Egypt">Egypt</option><option value="El Salvador">El Salvador</option><option value="Equatorial Guinea">Equatorial Guinea</option><option value="Eritrea">Eritrea</option><option value="Estonia">Estonia</option><option value="Ethiopia">Ethiopia</option><option value="Fiji">Fiji</option><option value="Finland">Finland</option><option value="France">France</option><option value="Gabon">Gabon</option><option value="Gambia">Gambia</option><option value="Georgia">Georgia</option><option value="Germany">Germany</option><option value="Ghana">Ghana</option><option value="Gibraltar">Gibraltar</option><option value="Greece">Greece</option><option value="Grenada">Grenada</option><option value="Guatemala">Guatemala</option><option value="Guinea">Guinea</option><option value="Guinea-Bissau">Guinea-Bissau</option><option value="Guyana">Guyana</option><option value="Haiti">Haiti</option><option value="Honduras">Honduras</option><option value="Hong Kong">Hong Kong</option><option value="Hungary">Hungary</option><option value="Iceland">Iceland</option><option value="India">India</option><option value="Indonesia">Indonesia</option><option value="Iran, Islamic Republic of">Iran, Islamic Republic of</option><option 
value="Iraq">Iraq</option><option value="Ireland">Ireland</option><option value="Israel">Israel</option><option value="Italy">Italy</option><option value="Ivory Coast">Ivory Coast</option><option value="Jamaica">Jamaica</option><option value="Japan">Japan</option><option value="Jordan">Jordan</option><option value="Kazakhstan">Kazakhstan</option><option value="Kenya">Kenya</option><option value="Kiribati">Kiribati</option><option value="Korea, Democratic People&#039;s Republic of(North Korea)">Korea, Democratic People&#039;s Republic of(North Korea)</option><option value="Korea, Republic of">Korea, Republic of</option><option value="Kosovo">Kosovo</option><option value="Kuwait">Kuwait</option><option value="Kyrgyzstan">Kyrgyzstan</option><option value="Lao People&#039;s Democratic Republic">Lao People&#039;s Democratic Republic</option><option value="Latvia">Latvia</option><option value="Lebanon">Lebanon</option><option value="Lesotho">Lesotho</option><option value="Liberia">Liberia</option><option value="Libya">Libya</option><option value="Liechtenstein">Liechtenstein</option><option value="Lithuania">Lithuania</option><option value="Luxembourg">Luxembourg</option><option value="Macau">Macau</option><option value="Macedonia, Rep. of">Macedonia, Rep. 
of</option><option value="Madagascar">Madagascar</option><option value="Malawi">Malawi</option><option value="Malaysia">Malaysia</option><option value="Maldives">Maldives</option><option value="Mali">Mali</option><option value="Malta">Malta</option><option value="Marshall Islands">Marshall Islands</option><option value="Mauritania">Mauritania</option><option value="Mauritius">Mauritius</option><option value="Mexico">Mexico</option><option value="Micronesia, Federal States of">Micronesia, Federal States of</option><option value="Moldova, Republic of">Moldova, Republic of</option><option value="Monaco">Monaco</option><option value="Mongolia">Mongolia</option><option value="Montenegro">Montenegro</option><option value="Morocco">Morocco</option><option value="Mozambique">Mozambique</option><option value="Myanmar, Burma">Myanmar, Burma</option><option value="Namibia">Namibia</option><option value="Nauru">Nauru</option><option value="Nepal">Nepal</option><option value="Netherlands">Netherlands</option><option value="New Caledonia">New Caledonia</option><option value="New Zealand">New Zealand</option><option value="Nicaragua">Nicaragua</option><option value="Niger">Niger</option><option value="Nigeria">Nigeria</option><option value="Norway">Norway</option><option value="Oman">Oman</option><option value="Pakistan">Pakistan</option><option value="Palau">Palau</option><option value="Palestinian territories">Palestinian territories</option><option value="Panama">Panama</option><option value="Papua New Guinea">Papua New Guinea</option><option value="Paraguay">Paraguay</option><option value="Peru">Peru</option><option value="Philippines">Philippines</option><option value="Poland">Poland</option><option value="Portugal">Portugal</option><option value="Puerto Rico">Puerto Rico</option><option value="Qatar">Qatar</option><option value="Romania">Romania</option><option value="Russian Federation">Russian Federation</option><option value="Rwanda">Rwanda</option><option value="Saint 
Kitts and Nevis">Saint Kitts and Nevis</option><option value="Saint Lucia">Saint Lucia</option><option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option><option value="Samoa">Samoa</option><option value="San Marino">San Marino</option><option value="Sao Tome and Principe">Sao Tome and Principe</option><option value="Saudi Arabia">Saudi Arabia</option><option value="Senegal">Senegal</option><option value="Serbia">Serbia</option><option value="Seychelles">Seychelles</option><option value="Sierra Leone">Sierra Leone</option><option value="Singapore">Singapore</option><option value="Slovakia">Slovakia</option><option value="Slovenia">Slovenia</option><option value="Solomon Islands">Solomon Islands</option><option value="Somalia">Somalia</option><option value="South Africa">South Africa</option><option value="South Sudan">South Sudan</option><option value="Spain">Spain</option><option value="Sri Lanka">Sri Lanka</option><option value="Sudan">Sudan</option><option value="Suriname">Suriname</option><option value="Swaziland">Swaziland</option><option value="Sweden">Sweden</option><option value="Switzerland">Switzerland</option><option value="Syria, Syrian Arab Republic">Syria, Syrian Arab Republic</option><option value="Taiwan">Taiwan</option><option value="Tajikistan">Tajikistan</option><option value="Tanzania; officially the United Republic of Tanzania">Tanzania; officially the United Republic of Tanzania</option><option value="Thailand">Thailand</option><option value="Tibet">Tibet</option><option value="Togo">Togo</option><option value="Tonga">Tonga</option><option value="Trinidad and Tobago">Trinidad and Tobago</option><option value="Tunisia">Tunisia</option><option value="Turkey">Turkey</option><option value="Turkmenistan">Turkmenistan</option><option value="Tuvalu">Tuvalu</option><option value="Uganda">Uganda</option><option value="Ukraine">Ukraine</option><option value="United Arab Emirates">United Arab Emirates</option><option 
value="United Kingdom">United Kingdom</option><option value="Uruguay">Uruguay</option><option value="Uzbekistan">Uzbekistan</option><option value="Vanuatu">Vanuatu</option><option value="Vatican City State (Holy See)">Vatican City State (Holy See)</option><option value="Venezuela">Venezuela</option><option value="Viet Nam">Viet Nam</option><option value="Yemen">Yemen</option><option value="Zambia">Zambia</option><option value="Zimbabwe">Zimbabwe</option></select></span></p>
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option 
value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-field cf-submit">
<input type="submit" value="Subscribe" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<p style="display: none !important;"><label>&#916;<textarea name="_wpcf7_ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js" name="_wpcf7_ak_js" value="119"/><script>document.getElementById( "ak_js" ).setAttribute( "value", ( new Date() ).getTime() );</script></p><div class="wpcf7-response-output" aria-hidden="true"></div></form></div><div class="btn-sub-show"><a href="javascript:void(0)" class="btn btn-prim dodger">Subscribe to Our Blog</a></div><div class="side-blog-btn"><div>Join our free community</div><a href="/get-started/" class="btn btn-prim dodger">Get started</a></div><div class="side-blog-share"">Share Article<div class="a2a_kit a2a_kit_size_ addtoany_list" data-a2a-url="https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" data-a2a-title="A Storm is Brewing: IPStorm Now Has Linux Malware"><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fa-storm-is-brewing-ipstorm-now-has-linux-malware%2F&amp;linkname=A%20Storm%20is%20Brewing%3A%20IPStorm%20Now%20Has%20Linux%20Malware" title="Facebook" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/facebook.png" alt="Facebook"></a><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fa-storm-is-brewing-ipstorm-now-has-linux-malware%2F&amp;linkname=A%20Storm%20is%20Brewing%3A%20IPStorm%20Now%20Has%20Linux%20Malware" title="Twitter" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/twitter.png" alt="Twitter"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fa-storm-is-brewing-ipstorm-now-has-linux-malware%2F&amp;linkname=A%20Storm%20is%20Brewing%3A%20IPStorm%20Now%20Has%20Linux%20Malware" 
title="LinkedIn" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/linkedin.png" alt="LinkedIn"></a></div></div>        <div class="top-posts">
            <h3>Top Blogs</h3>
            <div class="top-posts-cont owl-carousel"  id="owlposts" >
                    	    <div class="related-single item">
                    <span class="thumb">
                    <a href="https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/" title=""><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/11/BlogImage1024x475-253x139.png" alt="Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server" class="post-thumb" /></a>                    </span>
					                   
                    <h4>
                        <a href="https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/">Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server</a>
                    </h4>
					
						
				                    <span class="post-excerpt">GitLab servers are under attack with a now-patched critical vulnerability Earlier this week we...</span>	
                    <a href="https://www.intezer.com/blog/cloud-security/dfir-infected-gitlab-server/" class="top-more">Read more</a>
        		</div>
        	            </div>
        </div>
</div></div><div class="col-md-9 blog-main"><div class="single-post-content"><h2 class="int-blg" style="padding-top: 15px;"><strong>Introduction<br />
</strong></h2>
<p>The development of cross-platform malware is not new. However, we continue to observe malware families that were previously documented only as targeting Windows now <a href="https://www.intezer.com/blog/cloud-security/looking-back-on-the-last-decade-of-linux-apt-attacks/">targeting the Linux platform</a>. One of these threats is IPStorm.</p>
<p>In May 2019, researchers from <a href="https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network" target="_blank" rel="noopener noreferrer">Anomali</a> discovered a new Golang malware targeting Windows, which they dubbed <strong>IPStorm</strong> (InterPlanetary Storm). IPStorm is a botnet that abuses a legitimate peer-to-peer (P2P) network called InterPlanetary File System (IPFS) as a means to obscure malicious traffic. The malware was found to eventually allow attackers to execute arbitrary PowerShell commands on the victim’s Windows machine.</p>
<p>Our research team recently identified new Linux variants of IPStorm targeting various Linux architectures (ARM, AMD64, Intel 80386) and platforms (servers, Android, IoT). We have also detected a macOS variant. The macOS variant and most of the Linux samples are fully undetected in VirusTotal at the time of this publication. IPStorm is written in Golang, which enabled <a href="https://analyze.intezer.com" target="_blank" rel="noopener noreferrer">Intezer Analyze</a> to detect cross-platform code connections between the Linux samples and the Windows malware first reported by Anomali.</p>
<p>The Linux variant has additional features over the documented Windows version, such as using <strong>SSH brute-force</strong> as a means to spread to additional victims and <strong>fraudulent network activity</strong> abusing <a href="https://store.steampowered.com/" target="_blank" rel="noopener noreferrer">Steam</a> gaming and advertising platforms. The Linux variant has adjusted some features in order to account for the fundamental differences that exist between this operating system and Windows.</p>
<p>In this post, we will present a code relations graph between the IPStorm Windows and Linux samples, analyze the behavior of one of the Linux variants, and compare its features and capabilities to the old Windows samples to track its evolution. After that, we will take a deeper dive into some notable features and explain how to respond to this threat.</p>
<h2 class="int-blg" style="padding-top: 15px;"><strong>Technical Analysis</strong></h2>
<p>Most of the IPStorm Linux samples were fully undetected before we submitted them for genetic analysis in <a href="https://analyze.intezer.com" target="_blank" rel="noopener noreferrer">Intezer Analyze</a>.</p>
<p>In this post, we will focus on the <strong>658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117</strong> Linux sample.<br />
<img loading="lazy" width="784" height="245" class="wp-image-12419 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2.png" alt="pasted image 0 2" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2.png 784w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-2-300x94.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-2-768x240.png 768w" data-lazy-sizes="(max-width: 784px) 100vw, 784px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="784" height="245" class="wp-image-12419" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2.png" alt="pasted image 0 2" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2.png 784w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2-300x94.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-2-768x240.png 768w " sizes="(max-width: 784px) 100vw, 784px" /></noscript></p>
<p><em>658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117 sample undetected in VirusTotal.</em></p>
<p>Because IPStorm is written in Golang, not only can we observe strong code connections between the different Linux variants, we can also identify connections to IPStorm’s Windows samples uploaded to our system in 2019.<br />
<a href="https://analyze.intezer.com/files/658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117/families/def3dd22-fe33-45f0-9e75-52dc332f65e1" target="_blank" rel="noopener noreferrer nofollow"><br />
<img loading="lazy" width="1348" height="691" class="wp-image-12431 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14.png" alt="pasted image 0 14" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14.png 1348w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-14-300x154.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-14-1024x525.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-14-768x394.png 768w" data-lazy-sizes="(max-width: 1348px) 100vw, 1348px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1348" height="691" class="wp-image-12431" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14.png" alt="pasted image 0 14" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14.png 1348w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14-300x154.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14-1024x525.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-14-768x394.png 768w " sizes="(max-width: 1348px) 100vw, 1348px" /></noscript></a></p>
<p>The following map emphasizes code similarities between the different versions and operating systems. The nodes represent the individual samples and the lines are the code relations between them. All samples are linked to each other in some way:</p>
<ul>
<li style="color: blue;"><strong>IPStorm PE files from 2019</strong></li>
<li style="color: green;"><strong>IPStorm ELF files from 2020</strong></li>
</ul>
<p><img loading="lazy" width="820" height="648" class="wp-image-12424 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7.png" alt="pasted image 0 7" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7.png 820w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-7-300x237.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-7-768x607.png 768w" data-lazy-sizes="(max-width: 820px) 100vw, 820px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="820" height="648" class="wp-image-12424" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7.png" alt="pasted image 0 7" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7.png 820w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7-300x237.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-7-768x607.png 768w " sizes="(max-width: 820px) 100vw, 820px" /></noscript></p>
<p>The graph depicts three main clusters, with each cluster containing samples that have strong code connections between them:</p>
<ul>
<li>PE, intel 80386 architecture</li>
<li>ELF, intel 80386 architecture</li>
<li>ELF, amd x86-64 architecture</li>
</ul>
<p>You will also notice shared code exists between the ELF clusters and the ELF and PE intel 80386 architecture clusters.</p>
<p>You can use the <strong>cluster_directory.py</strong> API script in this <a href="https://github.com/intezer/analyze-scripts" target="_blank" rel="noopener noreferrer">GitHub</a> repository to create a cluster graph of your own.</p>
<h2 class="int-blg" style="padding-top: 15px;"><strong>Linux Variant Behavior Flow</strong></h2>
<p>The Linux variant symbols are stripped. Using the plugin <a href="https://github.com/sibears/IDAGolangHelper" target="_blank" rel="noopener noreferrer">IDAGolangHelper</a> we retrieved the file’s symbols and saw exactly which packages the malware contains. A package in Go is a bundle of Go source files which make up a specific functionality. Every Go source file belongs to a package.</p>
<p>The Linux malware’s main logic is implemented in a package called <strong>storm_starter</strong>, a new package that was not in the Windows version. All logic was implemented via the main function in the Windows version.</p>
<p>Both versions have similarities in the way the main flow is implemented, however, the Linux instances have additional features and adjusted some logic due to the differences that exist between the two operating systems.</p>
<p>The Linux iteration starts by disabling the out-of-memory (OOM) killer in order to prevent it from terminating the malware. It then proceeds to check for any processes related to antivirus products or other security tools that may prevent further execution of the malware. Next, the malware generates and saves pubkeys in a file called <strong>storm.key</strong>. The location where this key is saved depends on the privileges the malware was executed with. If the malware was executed with root privileges, the key will be stored at <strong>/etc/storm.key</strong>. Otherwise, it will be saved at <strong>/tmp/storm.key</strong>. The malware then tries to establish connections with other nodes in the peer-to-peer network.</p>
<p>The malware sends HTTP requests to different services such as <strong>diagnostic[.]opendns[.]com/myip</strong>, <strong>ifconfig[.]io/ip</strong>, and <strong>myip[.]dnsomatic[.]com</strong> to receive the external IP address of the victim server. If the malware is running as root, it will create a service under systemd to achieve persistence and copy itself to <strong>/usr/bin/storm</strong>. Otherwise, it will be copied to <strong>/tmp/storm</strong>. The malware will then relaunch itself from the new installation path.</p>
<p>This new process is responsible for executing the main features of the IPStorm malware: the reverse shell, which was previously seen in the Windows variant; maintaining connections with other peers in the P2P network; and a new feature for spreading the malware to other victims.</p>
<p><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="1470104078" data-slb-internal="0"><img loading="lazy" width="1529" height="671" class="wp-image-12418 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png" alt="pasted image 0 1" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png 1529w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-1-300x132.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-1-1024x449.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-1-768x337.png 768w" data-lazy-sizes="(max-width: 1529px) 100vw, 1529px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1529" height="671" class="wp-image-12418" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png" alt="pasted image 0 1" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1.png 1529w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1-300x132.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1-1024x449.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1-768x337.png 768w " sizes="(max-width: 1529px) 100vw, 1529px" /></noscript></a><br />
<em>IPStorm Linux output non-privileged user.</em></p>
<h2 class="int-blg" style="padding-top: 15px;"><strong>Linux vs. Windows Comparison<br />
</strong></h2>
<p>Comparing IPStorm <strong>Linux version 0.2.05a</strong> to <strong>Windows version 0.0.2m</strong>, it became clear the developer added features and altered existing ones to attack Linux platforms.</p>
<p id="h.swro60j7rpyd"><strong>Packages Comparison</strong><br />
The malware is composed of different Golang packages with each package providing a different feature. The following table categorizes package comparisons between the two versions:</p>
<table style="color: #627d98;">
<tbody>
<tr>
<td><strong>Golang Package</strong></td>
<td><strong>Functionality</strong></td>
<td><strong>Linux Version</strong><br />
<strong>Version 0.2.05a (2020)</strong></td>
<td><strong>Windows Version</strong><br />
<strong>Version 0.0.2m (2019)</strong></td>
</tr>
<tr>
<td>scan_tools</td>
<td>Scans for potential victims</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>web_api_client</td>
<td>Handles HTTP requests and responses</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>p2p (part of the web API)</td>
<td>HTTP over P2P</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>reque_client</td>
<td>Handles the communication of peers in the network</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>commander</td>
<td>Handles HTTP requests</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>starter</td>
<td>Implements the main logic of the malware (basically the “main function”)</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>malware-guard</td>
<td>Antivirus evasion</td>
<td><strong>+</strong></td>
<td><strong>&#8211;</strong></td>
</tr>
<tr>
<td>avbypass</td>
<td>Antivirus evasion</td>
<td><strong>&#8211;</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>backshell</td>
<td>In charge of the reverse shell</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>ddb</td>
<td>Database</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>filetransfer</td>
<td>Persistence and managing file transfers to other peers</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>logging</td>
<td>Output log</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>node</td>
<td>Responsible for advertising the node, getting the external IP, and maintaining connection with other nodes.</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>powershell</td>
<td>In Windows, in charge of the powershell artifact in the backdoor. In the Linux variant, the package has only one function copied from the Windows version and is used for achieving reverse shell.</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>util</td>
<td>Utility functions</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>ddbinterface</td>
<td>DB functions</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
<tr>
<td>proxy</td>
<td>Implements Socks5 Proxy</td>
<td><strong>+</strong></td>
<td><strong>+</strong></td>
</tr>
</tbody>
</table>
<p><strong><u>Note</u>:</strong> We compared <strong>Linux version 0.2.05a</strong> to <strong>Windows version 0.0.2m </strong>which was analyzed in Anomali’s report. However, the malware is frequently being updated and we have observed multiple different versions since, so functionalities may differ between them.</p>
<h2 class="int-blg" style="padding-top: 15px; padding-bottom: 10px;"><strong>Features Comparison</strong></h2>
<p id="h.efhyc68rz9y1"><strong>Scanning tools &#8211; Android and SSH brute-force</strong><br />
The Linux variant attempts to spread and infect other victims on the internet by using SSH brute-force. Once a connection is established, the malware will check if the victim server is a honeypot by comparing the hostname of the attacked server to the string “svr04”, which is the default hostname of the Cowrie SSH honeypot. If the malware identifies a honeypot it will close the connection; otherwise it will proceed to download the payload and infect the server. For defenders, this means a Cowrie honeypot left on its default hostname will record the brute-force login but will not receive the payload.</p>
<p><img loading="lazy" width="1013" height="407" class="wp-image-12435 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18.png" alt="pasted image 0 18" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18.png 1013w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-18-300x121.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-18-768x309.png 768w" data-lazy-sizes="(max-width: 1013px) 100vw, 1013px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1013" height="407" class="wp-image-12435" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18.png" alt="pasted image 0 18" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18.png 1013w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18-300x121.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-18-768x309.png 768w " sizes="(max-width: 1013px) 100vw, 1013px" /></noscript><br />
<em>Validation of whether the server is a honeypot or not.</em></p>
<p>Another spreading method that is unique to the Linux version is searching for potential Android victims. The malware checks for devices connected with ADB (Android Debug Bridge) to the victim node. Once identified, it will upload an Android version of IPStorm to the device, which was previously downloaded from the P2P network.</p>
<p><img loading="lazy" width="1552" height="103" class="wp-image-12417 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0.png" alt="pasted image 0" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0.png 1552w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-300x20.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-1024x68.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-768x51.png 768w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-1536x102.png 1536w" data-lazy-sizes="(max-width: 1552px) 100vw, 1552px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1552" height="103" class="wp-image-12417" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0.png" alt="pasted image 0" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0.png 1552w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-300x20.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1024x68.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-768x51.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-1536x102.png 1536w " sizes="(max-width: 1552px) 100vw, 1552px" /></noscript><br />
<em>Screen capture from the log of the storm service showing the downloaded file.</em></p>
<p id="h.efhyc68rz9y1"><strong>Antivirus Evasion<br />
</strong>Both IPStorm Windows and Linux versions implement features related to detection evasion and each variant uses a different technique. In the Linux version, the package in charge of this logic is called <strong><em>storm_malware_guard</em></strong>. The file iterates through all current running processes in order to find and terminate ones that might detect the malware’s activity.</p>
<p>The function under the <em><strong>storm_malware_guard</strong></em> package that implements this technique is called <em><strong>KillSuspiciousProcesses</strong></em>. Other functions in this package are responsible for obtaining information about the CPU and memory usage, number of I/O ports, and functions that return information about processes and threads.</p>
<p>In the Windows version, the AV evasion logic is implemented in a package called <em><strong>avbypass</strong></em>.</p>
<p>This technique is based on random sleep times and multiple function calls. The purpose of this method is to make tracing the original process harder for Antivirus solutions.</p>
<p>It appears that due to the different operating systems, each IPStorm version has its own way to evade detection.</p>
<p id="h.k517z47d1rvg"><strong>Reverse Shell<br />
</strong>Both IPStorm versions use the name backshell to refer to the feature of reverse shell.</p>
<p>The backshell functions of the Linux variant are identical to those of the Windows variant.</p>
<p>The Windows variant has a package called <strong>powershell</strong> which contains functions for achieving reverse shell. The same package is present in the Linux variant but it contains only one function: <strong>storm_powershell__ptr_Backend_StartProcess</strong>. The function is used to get a reverse shell on the infected system.</p>
<p>The implementation of the reverse shell is a clear example of the code reuse connections between the two IPStorm variants. The screengrabs below demonstrate changes in the file names and the identical function names found in the two versions:</p>
<p><strong><u>Linux</u>:</strong></p>
<p><img loading="lazy" width="415" height="69" class="wp-image-12428 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11.png" alt="pasted image 0 11" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11.png 415w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-11-300x50.png 300w" data-lazy-sizes="(max-width: 415px) 100vw, 415px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="415" height="69" class="wp-image-12428" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11.png" alt="pasted image 0 11" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11.png 415w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-11-300x50.png 300w " sizes="(max-width: 415px) 100vw, 415px" /></noscript></p>
<p><img loading="lazy" width="417" height="165" class="wp-image-12427 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10.png" alt="pasted image 0 10" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10.png 417w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-10-300x119.png 300w" data-lazy-sizes="(max-width: 417px) 100vw, 417px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="417" height="165" class="wp-image-12427" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10.png" alt="pasted image 0 10" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10.png 417w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-10-300x119.png 300w " sizes="(max-width: 417px) 100vw, 417px" /></noscript></p>
<p><strong><u>Windows</u>:</strong></p>
<p><img loading="lazy" width="378" height="429" class="wp-image-12437 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20.png" alt="pasted image 0 20" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20.png 378w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-20-264x300.png 264w" data-lazy-sizes="(max-width: 378px) 100vw, 378px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="378" height="429" class="wp-image-12437" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20.png" alt="pasted image 0 20" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20.png 378w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-20-264x300.png 264w " sizes="(max-width: 378px) 100vw, 378px" /></noscript></p>
<p><img loading="lazy" width="386" height="183" class="wp-image-12434 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17.png" alt="pasted image 0 17" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17.png 386w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-17-300x142.png 300w" data-lazy-sizes="(max-width: 386px) 100vw, 386px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="386" height="183" class="wp-image-12434" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17.png" alt="pasted image 0 17" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17.png 386w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-17-300x142.png 300w " sizes="(max-width: 386px) 100vw, 386px" /></noscript></p>
<p id="h.rs82oipy00qe"><strong>Persistence<br />
</strong>The Linux version will attempt to gain persistence only if it was executed with root privileges. The Windows version, on the other hand, will always look to gain persistence. It is evident that each variant of the malware, Linux and Windows, uses a different technique to gain persistence since the operating systems they target are fundamentally different.</p>
<p>The Windows variant achieves persistence by copying itself to a random location and adding the program to the <strong><em>HKCU:\Software\Microsoft\Windows\CurrentVersion\Run</em></strong> registry key.</p>
<p>The Linux version achieves persistence by creating a <strong>systemd</strong> service under /etc/systemd/system/storm.service.</p>
<p><img loading="lazy" width="614" height="372" class="wp-image-12425 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8.png" alt="pasted image 0 8" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8.png 614w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-8-300x182.png 300w" data-lazy-sizes="(max-width: 614px) 100vw, 614px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="614" height="372" class="wp-image-12425" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8.png" alt="pasted image 0 8" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8.png 614w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-8-300x182.png 300w " sizes="(max-width: 614px) 100vw, 614px" /></noscript><br />
<em>/etc/systemd/system/storm.service</em></p>
<p><img loading="lazy" width="431" height="152" class="wp-image-12433 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16.png" alt="pasted image 0 16" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16.png 431w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-16-300x106.png 300w" data-lazy-sizes="(max-width: 431px) 100vw, 431px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="431" height="152" class="wp-image-12433" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16.png" alt="pasted image 0 16" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16.png 431w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-16-300x106.png 300w " sizes="(max-width: 431px) 100vw, 431px" /></noscript><br />
<em>The function that achieves persistence in the Linux variant.</em></p>
<p>Another difference is the location to which the file is copied. The Windows variant uses random file paths while the Linux version uses fixed paths.</p>
<p id="h.d575t88s7n13"><strong>Network Traffic</strong><br />
On top of creating a reverse shell, we have detected that IPStorm’s Linux variant takes advantage of being widespread to perform different fraudulent activities in the background, abusing gaming and ad monetization. Because it is a botnet, the malware spreads a large number of requests across many different, trusted sources, so the activity is neither blocked nor traceable. This activity was not observed in the Windows variant.</p>
<p><u><strong>Steam Gaming Fraud</strong></u></p>
<p><a href="https://store.steampowered.com/" target="_blank" rel="noopener noreferrer">Steam</a> is a popular gaming service from <a href="https://www.valvesoftware.com/en/" target="_blank" rel="noopener noreferrer">Valve Corporation</a> and is used by hundreds of millions of users worldwide. It also provides an API for developers who want to use Steam data on their own websites.</p>
<p>As part of the monetization process for game developers, Steam users can buy and sell different items such as equipment, skins, and other in-game elements. This platform is so popular that it has become a hot target for cybercriminals. A known method used by attackers is creating phishing websites to lure users into submitting their Steam login credentials. With access to a user’s credentials, the attacker has full access to the account, API key included.</p>
<p>We noticed IPStorm generates a large amount of traffic to Steam’s API, querying data pertaining to various Steam users and using multiple valid API keys.</p>
<p><img loading="lazy" width="655" height="753" class="wp-image-12421 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4.png" alt="pasted image 0 4" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4.png 655w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-4-261x300.png 261w" data-lazy-sizes="(max-width: 655px) 100vw, 655px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="655" height="753" class="wp-image-12421" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4.png" alt="pasted image 0 4" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4.png 655w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-4-261x300.png 261w " sizes="(max-width: 655px) 100vw, 655px" /></noscript></p>
<p>We suspect these are stolen accounts that are being monitored as part of a fake trade scam. <a href="https://www.skinwallet.com/csgo/how-to-avoid-steam-api-key-scam/" target="_blank" rel="noopener noreferrer">Browse here</a> for more information about this scam.</p>
<p><u><strong>Ad Fraud</strong></u></p>
<p>The malware generates requests that imitate clicks on advertisements. All the ads we have traced are related to pornographic websites. The malware crawls through different predefined sites, searches for advertisement iframes, and imitates a user “click” by browsing through the iframes.</p>
<p><img loading="lazy" width="1225" height="689" class="wp-image-12432 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15.png" alt="pasted image 0 15" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15.png 1225w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-15-300x169.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-15-1024x576.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-15-768x432.png 768w" data-lazy-sizes="(max-width: 1225px) 100vw, 1225px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1225" height="689" class="wp-image-12432" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15.png" alt="pasted image 0 15" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15.png 1225w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15-300x169.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15-1024x576.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-15-768x432.png 768w " sizes="(max-width: 1225px) 100vw, 1225px" /></noscript><br />
<em>Example of a request the malware generates to an ad platform.</em></p>
<p><img loading="lazy" width="972" height="312" class="wp-image-12422 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5.png" alt="pasted image 0 5" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5.png 972w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-5-300x96.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-5-768x247.png 768w" data-lazy-sizes="(max-width: 972px) 100vw, 972px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="972" height="312" class="wp-image-12422" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5.png" alt="pasted image 0 5" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5.png 972w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5-300x96.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-5-768x247.png 768w " sizes="(max-width: 972px) 100vw, 972px" /></noscript><br />
<em>Websites the malware crawls through.</em></p>
<h2 class="int-blg" style="padding-top: 15px; padding-bottom: 10px;"><strong>IPStorm Detection and Response</strong></h2>
<p id="h.e9u59ghn02nu"><strong>Compromised System Detection</strong><br />
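You can take the following steps to check if your system has been attacked by the IPStorm malware. These checks match on the process, service, and file names shown below, so a clean result does not by itself rule out a variant that uses different names.</p>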
<ul>
<li>Check if the process of IPStorm is running on your system.<br />
Run: <strong>pstree | grep storm</strong><br />
<img loading="lazy" width="374" height="57" class="wp-image-12429 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12.png" alt="pasted image 0 12" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12.png 374w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-12-300x46.png 300w" data-lazy-sizes="(max-width: 374px) 100vw, 374px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="374" height="57" class="wp-image-12429" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12.png" alt="pasted image 0 12" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12.png 374w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-12-300x46.png 300w " sizes="(max-width: 374px) 100vw, 374px" /></noscript>IPStorm will usually run with multiple threads.</li>
</ul>
<ul>
<li>Check the services that run on your system, since if the malware was executed with root privileges it would create a service for persistence.<br />
Run: <strong>sudo systemctl status storm.service</strong><img loading="lazy" width="830" height="173" class="wp-image-12426 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9.png" alt="pasted image 0 9" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9.png 830w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-9-300x63.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-9-768x160.png 768w" data-lazy-sizes="(max-width: 830px) 100vw, 830px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="830" height="173" class="wp-image-12426" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9.png" alt="pasted image 0 9" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9.png 830w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9-300x63.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-9-768x160.png 768w " sizes="(max-width: 830px) 100vw, 830px" /></noscript></li>
</ul>
<ul>
<li>Check if IPStorm’s files exist in your system.<br />
Run: <strong>sudo find / -name "storm*" -type f</strong>
<ul>
<li>In case of a <u>non-root</u> execution the output will look similar to the screen capture below:<img loading="lazy" width="519" height="59" class="wp-image-12430 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13.png" alt="pasted image 0 13" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13.png 519w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-13-300x34.png 300w" data-lazy-sizes="(max-width: 519px) 100vw, 519px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="519" height="59" class="wp-image-12430" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13.png" alt="pasted image 0 13" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13.png 519w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-13-300x34.png 300w " sizes="(max-width: 519px) 100vw, 519px" /></noscript></li>
<li>If the malware was executed with <u>root </u>privileges, the output will look similar to the screen capture below:<br /><img loading="lazy" width="493" height="92" class="wp-image-12420 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3.png" alt="pasted image 0 3" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3.png 493w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-3-300x56.png 300w" data-lazy-sizes="(max-width: 493px) 100vw, 493px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="493" height="92" class="wp-image-12420" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3.png" alt="pasted image 0 3" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3.png 493w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-3-300x56.png 300w " sizes="(max-width: 493px) 100vw, 493px" /></noscript></li>
</ul>
</li>
</ul>
<ul>
<li>Check the open ports on your system and the processes that are associated with them. Run: <strong>sudo ss -tulpn</strong><br />
In the screen capture below a number of processes that belong to the IPStorm malware listen on specific ports.<a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="8478830" data-slb-internal="0"><img loading="lazy" width="1600" height="251" class="wp-image-12438 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png" alt="pasted image 0 21" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png 1600w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-21-300x47.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-21-1024x161.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-21-768x120.png 768w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-21-1536x241.png 1536w" data-lazy-sizes="(max-width: 1600px) 100vw, 1600px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1600" height="251" class="wp-image-12438" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png" alt="pasted image 0 21" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21.png 1600w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21-300x47.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21-1024x161.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21-768x120.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-21-1536x241.png 1536w " sizes="(max-width: 1600px) 100vw, 1600px" /></noscript></a></li>
</ul>
<ul>
<li>Use freely the <a href="https://www.intezer.com/join-intezer-protect-community-edition/" target="_blank" rel="noopener noreferrer">Intezer Protect</a> community beta to identify which process is running on your system. The screen capture below is taken from the alert of IPStorm executed on a server. The info provided by the system includes the malware family name, full path of the executable, the process ID, execution time, and a link to Intezer Analyze where you can observe code reuse prevalent in this malware.<a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="97324924" data-slb-internal="0"><img loading="lazy" width="1600" height="820" class="wp-image-12423 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png" alt="pasted image 0 6" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png 1600w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-6-300x154.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-6-1024x525.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-6-768x394.png 768w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-6-1536x787.png 1536w" data-lazy-sizes="(max-width: 1600px) 100vw, 1600px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1600" height="820" class="wp-image-12423" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png" alt="pasted image 0 6" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6.png 1600w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6-300x154.png 300w , 
https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6-1024x525.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6-768x394.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-6-1536x787.png 1536w " sizes="(max-width: 1600px) 100vw, 1600px" /></noscript></a></li>
</ul>
<p id="h.e9u59ghn02nu"><strong>How to Terminate IPStorm on a Compromised System</strong></p>
<ul>
<li>If the malware runs as a service you should stop the service by executing the command:<br />
<strong>sudo systemctl stop storm.service</strong></li>
<li>Delete all the files that are related to the IPStorm malware. The file paths are mentioned in the previous section.</li>
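<li>Kill the process by running: <strong>sudo pkill -9 storm</strong><br />
pkill matches every process whose name contains “storm”, so review the matches first (for example with <strong>pgrep -l storm</strong>) to avoid killing an unrelated process.</li>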
</ul>
<p id="h.e9u59ghn02nu"><strong>Response<br />
</strong>We are providing a <a href="https://github.com/intezer/yara-rules/blob/master/IPStorm.yar" target="_blank" rel="noopener noreferrer">YARA rule</a> intended to be run against in-memory artifacts in order to be able to detect these implants.</p>
<p><strong>System Security Hardening</strong></p>
<ul class="int-blg">
<li>Make sure your SSH connection is secured. Use a key instead of a password or use multi-factor authentication. <a href="https://www.techrepublic.com/article/5-quick-ssh-hardening-tips/" target="_blank" rel="noopener noreferrer">Browse here</a> for more tips about SSH hardening.</li>
<li>Make sure your system is updated to the latest software and aligned with most recent security best practices.</li>
<li>Use a runtime cloud workload protection solution such as <a href="https://www.intezer.com/intezer-protect/" target="_blank" rel="noopener noreferrer">Intezer Protect</a>. Protect provides full runtime visibility over the code in your system and alerts on any suspicious or unauthorized code that deviates from the secure baseline.</li>
</ul>
<h2 class="int-blg" style="padding-top: 5px;"><strong>Summary</strong></h2>
<p>IPStorm, now with a Linux variant, is the latest example of cross-platform malware developed in Golang. Platforms that are compromised by IPStorm are not only exposed to a backdoor to their services but are also added to the IPStorm Botnet, which attempts to spread to other victims. The attackers behind IPStorm are very active, as evidenced by the frequent release of updated versions with new features and improvements, as well as the expansion to several different platforms and architectures.</p>
<p>IPStorm is part of a growing list of Golang ELF malware that have been spotted attacking live servers in the past six months alone, together with <a href="https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/">Kaiji</a>, <a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank" rel="noopener noreferrer">Kinsing</a>, and <a href="https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/" target="_blank" rel="noopener noreferrer">FritzFrog</a>.</p>
<p><strong>We want to give a special thanks to Paul Litvak and Michael Kajiloti for their help contributing to this analysis.</strong></p>
<p>Both IPStorm Linux and Windows samples are indexed in Intezer Analyze and you can detect this and other cross-platform malware with the code reuse feature for Golang, just by uploading a file or hash to the system. Below is the analysis of one of the Linux samples.</p>
<p><a href="https://analyze.intezer.com/files/658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117" target="_blank" rel="noopener noreferrer nofollow"><br />
<img loading="lazy" width="1406" height="453" class="wp-image-12436 jetpack-lazy-image" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19.png" alt="pasted image 0 19" data-lazy-srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19.png 1406w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-19-300x97.png 300w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-19-1024x330.png 1024w, https://www.intezer.com/wp-content/uploads/2020/10/pasted-image-0-19-768x247.png 768w" data-lazy-sizes="(max-width: 1406px) 100vw, 1406px" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19.png?is-pending-load=1" srcset=""><noscript><img loading="lazy" width="1406" height="453" class="wp-image-12436" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19.png" alt="pasted image 0 19" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19.png 1406w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19-300x97.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19-1024x330.png 1024w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/10/pasted-image-0-19-768x247.png 768w " sizes="(max-width: 1406px) 100vw, 1406px" /></noscript></a></p>
<p>Subscribe to our <a href="https://www.intezer.com/resource/intezer-request-access-to-our-weekly-low-detected-linux-threat-feed/">weekly threat feed</a> to receive the latest low-detected Linux threat hashes.</p>
<h2 class="int-blg" style="padding-top: 15px;"><strong>IOCs</strong></h2>
<p><strong>Linux</strong></p>
<p>3aff4695c73709e2e0e55665c4850aa45064723a2c83e75325b27e77ec5f6d97</p>
<p>b80346c4d31d77fba9427024d34af2f43e64a5272b5bbef28c6bf045a06143ff</p>
<p>d233c37f2d49badbf53d054bce7fb8e787c9973067e8dcd79835d7816aacfa43</p>
<p>658638c6bef52e03e6aea4b6c1b2b3b8d81ad40144b56b2122d96e6957c33117</p>
<p>bfb69eadee1918a9402478c76dd15696bbac3e3e3e57c9a94c7d51e594b8c657</p>
<p>64abc2cf5866e932b0731a6deb487aa3d9756724250de26bac2fb930cd478dc0</p>
<p>52f215521ba59cb6a51314bd1527f1c540ffc04df924ad971ca2160405879778</p>
<p>aa7639b11f7c852005110e5ac34c9a2c94c562bcc95dbf6f60a1a7192cf8ea77</p>
<p>cae8a782765dd0f97e7a812a245cc5b94b3179ced9c8181d0fda13978c9f17be</p>
<p>5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7</p>
<p>08bf31862577567a56bf3be6425f1ddf4ac90914efd883a75a5a53dbcabd28a2</p>
<p>984c5e980fb8a5b7bbc673f923f22ddf06c5dd89fcd0acf774d79d4d193b44c8</p>
<p>591770835066958e912ceb445bd865e961ac946e8cf70ced9f0bd75c851d9478</p>
<p>69ea7bcf3da16d968e6104745c1f015f6371c093188f1061a311a6385985b45b</p>
<p>fbd5e48ee691df949e0dd3687755c80cc5b9d1a1a89e7dc486694370697de893</p>
<p>c247b3c07b4bf13da67c51d5834193d128c45c7e41214096090b5d2610313783</p>
<p>f4f1fb65df80666fe67b22b84d9d8f967449d1249c33ad97f4305784fa41e747</p>
<p>ef226de8cc53e59c9431838085f3bbd1b8a32f7cc135682033a3fdba19a0ee97</p>
<p>dfeecdd23f28f80e42e58c87c9a4858648964b3100dfb899c61b54aed7856cf7</p>
<p>db9c95bdc4247ff6cdaf8a8e47b4add21a730461d8f6e2693136aecd346b3fb5</p>
<p>b4c75e1d94bc4c8affd6d9f433585ace2738772e6a04403ab67cce3df9574068</p>
<p>b07c2dfb4c57175446b6188bb4b1722272f63a301f18c5f46ee6401347894fea</p>
<p>a5468b6130d90bc74cf8e458297f6d4c7fc42b87184623aefd535bca658542ed</p>
<p>7c41de95313dc98a3fc4f6fe3910759c3561743dacc629dab11e754290f8c7aa</p>
<p>7b044b8eddd20d8e1c7d499a6c34b1bc373f5fe9d59bab7b4e3a341a5f4ce0b5</p>
<p>79ec318a968679f94d2ab0ba15daaeeb71406d2f744eb0cd1b314c4bb403114d</p>
<p>52b081dbaafbbae8ad812f9c50a1a5f7d8b0850b3c6dc69eccb3322f34286c2e</p>
<p>50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d</p>
<p>1d0e003ee653d1a7b80ff5e69c33689af04e45fc836a29e0853219dd100fd534</p>
<p>16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4</p>
<p><strong>macOS</strong></p>
<p>522a5015d4d11833ead6d88d4405c0f4119ff29b1f64b226c464e958f03e1434</p>
<div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/07/Screenshot_20200720-202117__01-60x60.png" class="user-photo"><div class="user-bio"><strong> Nicole Fishbein</strong><div class="share-author"><a href="https://twitter.com/NicoleFishi19" target="_blank" class="twitter-link"><i class="fa fa-twitter" aria-hidden="true"></i></a></div><p>Nicole is a malware analyst and reverse engineer. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps.</p></div></div><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/06/IMG_20200610_100615-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Avigayil Mechtinger</strong><div class="share-author"></div><p>Avigayil is a security researcher and malware analyst at Intezer having previously worked as a cyber analyst at CheckPoint.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/ipstorm/" rel="tag">IPStorm</a> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/malware/" rel="tag">malware</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/research/advanced-pasta-threat-mapping-malware-use-of-open-source-offensive-security-tools/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/research/advanced-pasta-threat-mapping-malware-use-of-open-source-offensive-security-tools/" rel="prev">VB2020 &#8211; Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools</a></h4></div></div><div class="next-post"><a href="https://www.intezer.com/blog/malware-analysis/emotet-evolves-but-code-remains-mostly-the-same/" rel="next"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/malware-analysis/emotet-evolves-but-code-remains-mostly-the-same/" rel="next">Emotet Evolves 
but Code Remains Mostly the Same</a></h4></div></div></nav>        <div class="related-posts">
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		

		   

				
				
	    </div>
		

    </div>

<footer>
            <div class="container">
                <div class="row">
					<div class="footer-logo-cont"><img src="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/images/intezer-logo-b.png" alt="intezer footer logo" title="" class="footer-logo">
						<div class="social footer-right">
                            <ul>
<li><a href="https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ?view_as=subscriber" target="_blank"><i class="fa fa-youtube" aria-hidden="true" title="youtube"></i></a></li>
								<li><a href="https://www.facebook.com/IntezerLabs/" target="_blank"><i class="fa fa-facebook" aria-hidden="true" title="facebook"></i></a></li>
								 <li><a href="https://www.linkedin.com/company/intezer-labs" target="_blank"><i class="fa fa-linkedin" aria-hidden="true" title="Linkedin"></i></a></li>
                                <li><a href="https://twitter.com/intezerlabs" target="_blank"><i class="fa fa-twitter" aria-hidden="true" title="twitter"></i></a></li>
 								<li><a href="https://www.intezer.com/rss-feed/"><i class="fa fa-rss" aria-hidden="true" title="RSS"></i></a></li>
                            </ul>
                        </div>
					
					</div>

					
					
        
                </div>
            </div>
			
        </footer>
  
              

    </body>
</html>
